remove unnecessary groks
@ -33,13 +33,6 @@ filter {
|
|||||||
remove_field => ["scan_time"]
|
remove_field => ["scan_time"]
|
||||||
}
|
}
|
||||||
|
|
||||||
#If using filebeats as your source, you will need to replace the "path" field to "source"
|
|
||||||
# Remove when scan name is included in event (current method is error prone)
|
|
||||||
grok {
|
|
||||||
match => { "path" => "([a-zA-Z0-9_.\-]+)_%{INT}_%{INT:history_id}_%{INT}.json$" }
|
|
||||||
tag_on_failure => []
|
|
||||||
}
|
|
||||||
|
|
||||||
mutate {
|
mutate {
|
||||||
convert => { "cvss" => "float"}
|
convert => { "cvss" => "float"}
|
||||||
convert => { "cvss_base" => "float"}
|
convert => { "cvss_base" => "float"}
|
||||||
|
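Review bot: The grok removed in this hunk was the only visible source of the `history_id` field (`%{INT:history_id}` on the path), and nothing added in the hunk sets it, so any output or dashboard keyed on `history_id` will now see it missing unless the scanner JSON already carries the field. The removed comment said to drop this grok once the scan name is included in the event; that condition cannot be verified from the hunk and the commit message does not state it. If the field does arrive in the event itself, a one-line comment at the point of removal such as `# history_id now arrives in the event; filename grok no longer needed` would record why the extraction is gone. The enclosing `filter {` block starts before this hunk.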
@ -6,11 +6,19 @@
|
|||||||
|
|
||||||
input {
|
input {
|
||||||
file {
|
file {
|
||||||
path => [ "/opt/VulnWhisperer/data/qualys/*.json" , "/opt/VulnWhisperer/data/qualys_web/*.json", "/opt/VulnWhisperer/data/qualys_vuln/*.json"]
|
path => [ "/opt/VulnWhisperer/data/qualys_vuln/*.json" ]
|
||||||
type => json
|
|
||||||
codec => json
|
codec => json
|
||||||
start_position => "beginning"
|
start_position => "beginning"
|
||||||
tags => [ "qualys" ]
|
tags => [ "qualys_vuln" ]
|
||||||
|
mode => "read"
|
||||||
|
start_position => "beginning"
|
||||||
|
file_completed_action => "delete"
|
||||||
|
}
|
||||||
|
file {
|
||||||
|
path => [ "/opt/VulnWhisperer/data/qualys_web/*.json" ]
|
||||||
|
codec => json
|
||||||
|
start_position => "beginning"
|
||||||
|
tags => [ "qualys_web" ]
|
||||||
mode => "read"
|
mode => "read"
|
||||||
start_position => "beginning"
|
start_position => "beginning"
|
||||||
file_completed_action => "delete"
|
file_completed_action => "delete"
|
||||||
@ -25,11 +33,6 @@ filter {
|
|||||||
remove_field => ["scan_time"]
|
remove_field => ["scan_time"]
|
||||||
}
|
}
|
||||||
|
|
||||||
grok {
|
|
||||||
match => { "path" => [ "(?<tags>qualys_vuln)_scan_%{DATA}_%{INT}.json$", "(?<tags>qualys_web)_%{INT:app_id}_%{INT}.json$" ] }
|
|
||||||
tag_on_failure => []
|
|
||||||
}
|
|
||||||
|
|
||||||
if "qualys_web" in [tags] {
|
if "qualys_web" in [tags] {
|
||||||
mutate {
|
mutate {
|
||||||
add_field => { "asset" => "%{web_application_name}" }
|
add_field => { "asset" => "%{web_application_name}" }
|
||||||
|
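Review bot: The new `path` lists in the first hunk drop `/opt/VulnWhisperer/data/qualys/*.json`, which the old single input read alongside the web and vuln directories; anything still written there is no longer ingested, and since `file_completed_action => "delete"` no longer covers it, such files will also accumulate on disk. The same hunk and the openvas input hunk both remove `type => json`, so any filter or output conditional on `[type]` outside these hunks now evaluates against an unset field — worth confirming before merge. In the second hunk the removed grok was also the only visible source of `app_id` for `qualys_web` events; if that field is still consumed it must now come from the event itself. A short comment on the new `qualys_vuln` input, e.g. `# one file input per scanner: tags come from the directory, not the filename`, would document the new layout.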
@ -7,7 +7,6 @@
|
|||||||
input {
|
input {
|
||||||
file {
|
file {
|
||||||
path => "/opt/VulnWhisperer/data/openvas/*.json"
|
path => "/opt/VulnWhisperer/data/openvas/*.json"
|
||||||
type => json
|
|
||||||
codec => json
|
codec => json
|
||||||
start_position => "beginning"
|
start_position => "beginning"
|
||||||
tags => [ "openvas_scan", "openvas" ]
|
tags => [ "openvas_scan", "openvas" ]
|
||||||
@ -26,11 +25,6 @@ filter {
|
|||||||
remove_field => ["scan_time"]
|
remove_field => ["scan_time"]
|
||||||
}
|
}
|
||||||
|
|
||||||
grok {
|
|
||||||
match => { "path" => "openvas_scan_%{DATA}_%{INT}.json$" }
|
|
||||||
tag_on_failure => []
|
|
||||||
}
|
|
||||||
|
|
||||||
# TODO - move this mapping into the vulnwhisperer module
|
# TODO - move this mapping into the vulnwhisperer module
|
||||||
translate {
|
translate {
|
||||||
field => "[risk_number]"
|
field => "[risk_number]"
|
||||||
|